This document presents a summary of a talk by Guy Podjarny on securing serverless applications, highlighting key security flaws and mitigation strategies. It outlines seven main points, including the importance of avoiding vulnerable libraries, managing secrets properly, and using granular permissions to enhance security. The document also emphasizes the need to build security measures into serverless architecture proactively.

1. snyk.io
Securing Serverless -
By Breaking In
Guy Podjarny, Snyk
@guypod

2. snyk.io
About Me
• Guy Podjarny, @guypod on Twitter
• CEO & Co-founder at Snyk
• History:
• Cyber Security part of Israel Defense Forces
• First Web App Firewall(AppShield), Dynamic/Static Tester(AppScan)
• Security: Worked in Sanctum -> Watchfire -> IBM
• Performance: Founded Blaze -> CTO @Akamai
• O’Reilly author, speaker

3. snyk.io
Serverless Security: The Theory
(talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

4. snyk.io
Today - straight to practice!

5. snyk.io
Agenda
• Show a demo serverless app
• Hack it
• Explain the security flaws and how to fix them
• Summary
• Q&A

6. snyk.io
Introducing our app…

7. snyk.io
Vulnerable Libraries

8. snyk.io
Example: Fetch file & store in s3
(Serverless Framework Example)
19 Lines of Code
2 Direct dependencies
19 dependencies(incl. indirect)
191,155 Lines of Code

9. snyk.io

10. snyk.io
Serverless does secure
OS dependencies
Just not app dependencies

11. snyk.io
1. Beware Vulnerable Libraries
(test during dev, monitor over time)

12. snyk.io
Side Note:
Snyk isn’t only for Serverless

13. snyk.io
Denial of Service

14. snyk.io
2. ReDoS can still be costly
(won’t take you down, but can hike up bill)

15. snyk.io
Beware
Resource Exhaustion Attacks
Not all your services elastically scale

16. snyk.io
Secrets

17. snyk.io
3. Avoid secrets in deployed code
(env variables aren’t enough - Use a KMS!)

18. snyk.io
Serverless platforms offer a
Key Management System
Just use it!

19. snyk.io
Granularity

20. snyk.io
4. Deploy granular functions
(shared function code = greater exposure)

21. snyk.io
AWS Security Policy
Easier
Policy 3Policy 2
Policy 1
Safer

22. snyk.io
Permissions

23. snyk.io
5. Use Granular Policies
(only allow each function its minimum permissions)

24. snyk.io
A function is a perimeter
That needs to be secured
Perimeter Perimeter
Perimeter
Perimeter
Perimeter

25. snyk.io
Immutability

26. snyk.io
6. Don’t rely on immutability
(Lambda - and others - reuse servers)

27. snyk.io
Serverless user is typically
Low Privilege
Reducing impact substantially, but not eliminating it

28. snyk.io
7. Worry about all functions
(Every available function increases your attack surface)

29. snyk.io
Summary
1. Beware vulnerable libraries
2. ReDoS can still be costly
3. Avoid secrets in deployed code
4. Deploy granular functions
5. Use Granular Permissions
6. Don’t rely on immutability
7. Worry about all functions

30. snyk.io
Serverless Security: The Theory
(talk from ServerlessConf)
https://www.youtube.com/watch?v=CiyUD_rI8D8
https://www.infoq.com/articles/serverless-security

31. snyk.io
Serverless is defined now.
Let’s build Security in.
Thank You!
Guy Podjarny, Snyk
@guypod